Inside Job

When it comes to patient information, the importance of maintaining proper data security can never be overestimated

Data security issues were brought to the fore last August when the Department of Veterans Affairs "lost" a hard drive containing 26.5 million patient records. This security breach was of potentially disastrous proportions, says Barry Hieb, analyst and research director at Gartner, Stamford, Conn. "The malice that could have been orchestrated with that many names, social security numbers, and insurance IDs is unfathomable," he says.

However, just as the dust of this latest security blunder had begun to settle, the Government Accountability Office (Washington) released a report stating that 17 security breaches had occurred in the 46 hospitals it has surveyed since 2003 — that's a 36 percent breach rate.

Threats from the inside

"Hospitals spend millions of dollars on firewalls, intrusion detection, anti-virus, and vulnerability applications, all trying to keep people out of their system. But often, the biggest threats come from within an organization," explains Hieb.

As hospitals and patients become increasingly eager to embrace the digital age, more and more information is being siphoned across the Internet. "Although you are providing tremendous access and efficiencies to a hospital by providing this plethora of information, you are also increasing the risk that this information can be accessed by the wrong person," says John DeSantis, CEO of TriCipher, Los Gatos, Calif.

Internal threats are as varied as they are creative. A common risk for healthcare providers is the theft of services. This is usually referred to as friendly fraud. For instance, someone uses their cousin's insurance ID to undergo medical procedures, DeSantis says.

There is also the problem of a hospital employee stealing social security or insurance numbers and selling them on the black market, he explains. And, although it sounds particularly morose, he claims that some employees have been known to use patients' private health conditions, such as HIV status, as a blackmailing tool. "If you'd asked me two or three years ago I would have said that these kinds of incidences are pretty rare, but we're starting to hear about them more and more," DeSantis says.

But why are internal threats such a problem? "The insider is someone you've already given a trusted credential to. You never know when you've given the wrong person the 'keys to the kingdom,'" says DeSantis. Hospitals typically have thousands of employees, and trying to keep track of "who is authorized to access what" is an onerous process, he contends.

However, not all security breaches are malicious; some are purely unintentional. If a breach occurs when an authorized person divulges private information, this is generally referred to as a breach of privacy, explains John Houston, vice president, privacy and information security and assistant counsel, University of Pittsburgh Medical Center (UPMC).

For example, a UPMC physician unwittingly exposed a patient's private information by including it in a posted presentation on the hospital's Web site, he explains. "He should have known better," Houston says, "but the issue still remains — a patient's private records were out in the public domain."

Hospital data can also be unintentionally exposed through peer-to-peer networks.

Napster is a good example of this, Houston says. When you share files with other people, if you inappropriately configure the software, every file on your computer can be potentially accessible to anyone on that network, he explains. So if somebody downloads a song from a network, in theory they could be exposing every file in their computer to anyone using the same network. "UPMC has implemented software to catch and stop peer-to-peer networks, and staff members are reprimanded if they are caught using them," Houston says.

Keeping data secure

Although there are a myriad of security solutions available, Ricky Johnston, vice president of information systems-operation at Tenet Health, Dallas, says, "There is no alternative to having enterprise-wide data security policies and procedures that are well understood and strictly enforced." The creation of security policies is not a static process, Johnston says, and needs to be updated as new technologies become available and new vulnerabilities are identified.

To Johnston, maintaining the security of hospital data requires a two-pronged approach consisting of credentialing and authentication. Every hospital should have a credentialing office, where people manually and electronically check employee credentials, such as university degrees and diplomas for physicians. Tenet Health uses a credentialing software application called Echo, provided by HealthLine Systems, San Diego. "We do all our research in-house, but we use the Echo application to record credentials. Ultimately, there's no way of circumventing the manual process of having a staff member check to see if a physician has the appropriate degree," he explains.

According to Hieb, credentialing software is essentially a recording and storage application. However, newer credentialing applications are also being used to track the performance of an individual, such as how many operations a surgeon has performed in a particular area, or what continuing education modules they have completed, he explains.